Quote Originally Posted by Snatch
Even if you dump the MBR with a boot disc, how would you know if it is a legitimate Microsoft MBR or a hacked one? Without something to compare with, it seems like it could still be difficult to detect.
I left that part out of my post. Mind working faster than the fingers.

I would generate a series of signatures of valid MBRs. I would generate one for the current one, and compare it to the list. If you were comparing the "fixed part", and not the part that describes the boot device, "in theory" you could detect it. Also, barring some sort of polymorphism, you could also check for signatures matching known exploits.
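The comparison described above, as an added example that is not from the original thread: hash only the 440-byte bootstrap region of a 512-byte MBR (the disk signature and partition table that vary per machine are skipped), then check the hash against an allowlist of known-good boot code and a blocklist of known-bad boot code. The sample sectors, the "good" and "bad" boot code bytes and the hash lists are constructed placeholders, not real Microsoft or malware code.

```python
import hashlib

MBR_SIZE = 512
BOOT_CODE_LEN = 440           # bootstrap code; bytes 440-509 hold the disk
BOOT_SIGNATURE = b"\x55\xaa"  # signature and partition table, 510-511 hold 0x55AA

def fixed_part(mbr: bytes) -> bytes:
    """Return the bootstrap-code region, the part that does not vary per disk."""
    if len(mbr) != MBR_SIZE or mbr[510:] != BOOT_SIGNATURE:
        raise ValueError("not a 512-byte sector ending in 0x55AA")
    return mbr[:BOOT_CODE_LEN]

def boot_code_hash(mbr: bytes) -> str:
    return hashlib.sha256(fixed_part(mbr)).hexdigest()

def classify(mbr: bytes, known_good: set, known_bad: set) -> str:
    """Blocklist wins over allowlist; anything in neither list needs manual review."""
    h = boot_code_hash(mbr)
    if h in known_bad:
        return "known-bad"
    if h in known_good:
        return "known-good"
    return "unknown"

def build_mbr(boot_code: bytes, disk_sig: bytes, ptable: bytes = b"\x00" * 64) -> bytes:
    """Constructed test sector: boot code padded to 440 bytes, 4-byte disk
    signature, 2 reserved bytes, 64-byte partition table, 0x55AA."""
    assert len(boot_code) <= BOOT_CODE_LEN and len(disk_sig) == 4 and len(ptable) == 64
    return (boot_code.ljust(BOOT_CODE_LEN, b"\x00") + disk_sig + b"\x00\x00"
            + ptable + BOOT_SIGNATURE)

# Constructed stand-ins. A real baseline would be hashed from the sector of a
# freshly installed, trusted system; a real blocklist from analysed samples.
GOOD_CODE = b"PLACEHOLDER-GOOD-BOOTCODE" + b"\x90" * 16
BAD_CODE = b"PLACEHOLDER-BAD-BOOTCODE" + b"\xeb\xfe"

KNOWN_GOOD = {boot_code_hash(build_mbr(GOOD_CODE, b"\x11\x22\x33\x44"))}
KNOWN_BAD = {boot_code_hash(build_mbr(BAD_CODE, b"\x00\x00\x00\x00"))}

if __name__ == "__main__":
    # Same boot code on a different disk (new signature, active partition set)
    # still matches the allowlist because only the fixed part is hashed.
    other_disk = build_mbr(GOOD_CODE, b"\xaa\xbb\xcc\xdd", b"\x80" + b"\x00" * 63)
    print(classify(other_disk, KNOWN_GOOD, KNOWN_BAD))
```

Reading the sector itself (e.g. the first 512 bytes of the raw disk device from a boot disc) is left to the caller; the module only does the comparison.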